how to deal with order fraud when all info checks out?
I have a problem... for one of the sites I own, we sell a physical product over the internet. We use authorize.net for credit card processing as well as paypal.
We got 5 fraud orders over the "cyberweek / black Friday" period.
But weird fraud...
2 were via PayPal, with the shipping address being a confirmed PayPal address. These 2 people called us asking why we sent them free stuff, as their PayPal accounts were not charged, but their name, address, and phone # were correct. Nobody has called to complain about charges to their PayPal account yet.
The other 3 were credit card orders. Billing and shipping addresses matched and were confirmed via authorize.net, as well as the use of the security code on the credit card, meaning they had the card present. The IP address of the person placing the order even matched the region where the order was shipped and billed to. These people want to charge back the order. They say all the information is correct but the email address is not theirs. The order amounts were not even that large, and these people claim their credit cards weren't stolen or used inappropriately anywhere else.
BTW, we use the fraud detection suite from authorize.net and that cuts down on fraud a lot, but these few got through.
How in the world can you stop this and what are they thinking?
I doubt you can stop all fraud any more than a bricks and mortar store can stop shop lifting. You've got to build it into the price just like B&M stores do.
|the security code on the credit card meaning they had the card present. |
Not necessarily- it's only a 3-digit number, so someone with the CC number and billing address could brute force discover it in less than 1000 tries. (Or if it's AMEX, the 4-digit number could be brute forced with less than 10,000 tries.)
I take not having the (or not matching the correct) CVV code to be a red flag, but I don't assume a matching CVV is a green flag.
Since they (supposedly) didn't place the order, they obviously need to send the products back to you. After you receive them, then issue refunds. If they refuse to return the products, it sounds suspiciously more like fraud by the card holders instead of fraud from stolen cards.
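The point in the post above, that a matching CVV is not a green flag, can be checked against your own gateway log. This is an added example, not part of the original thread: the log layout, the "M"/"N" result labels, the card tokens and the thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed look-back window
MAX_MISMATCHES = 3            # assumed threshold before a later match is distrusted

# Constructed gateway log: (time, card token, CVV result, order id).
# "N" = code did not match, "M" = code matched (labels assumed for this example).
ATTEMPTS = [
    ("2008-11-28T10:00:00", "card_A", "M", "1001"),  # ordinary first-try match
    ("2008-11-28T11:00:00", "card_B", "N", "1002"),  # run of wrong codes ...
    ("2008-11-28T11:05:00", "card_B", "N", "1003"),
    ("2008-11-28T11:10:00", "card_B", "N", "1004"),
    ("2008-11-28T11:15:00", "card_B", "N", "1005"),
    ("2008-11-28T11:20:00", "card_B", "M", "1006"),  # ... then a "verified" order
    ("2008-11-28T12:00:00", "card_C", "N", "1007"),  # one typo, then correct
    ("2008-11-28T12:01:00", "card_C", "M", "1008"),
    ("2008-11-25T09:00:00", "card_D", "N", "1009"),  # old failures, outside window
    ("2008-11-25T09:01:00", "card_D", "N", "1010"),
    ("2008-11-25T09:02:00", "card_D", "N", "1011"),
    ("2008-11-28T13:00:00", "card_D", "M", "1012"),
]


def orders_to_hold(attempts, window=WINDOW, max_mismatches=MAX_MISMATCHES):
    """Return {order_id: mismatch_count} for CVV-matched orders that follow
    at least max_mismatches wrong codes on the same card within window."""
    recent_fails = defaultdict(deque)  # card token -> times of recent mismatches
    held = {}
    for ts, card, result, order_id in sorted(attempts):  # ISO times sort correctly
        when = datetime.fromisoformat(ts)
        fails = recent_fails[card]
        while fails and when - fails[0] > window:  # forget mismatches that aged out
            fails.popleft()
        if result == "N":
            fails.append(when)
        elif result == "M" and len(fails) >= max_mismatches:
            held[order_id] = len(fails)  # match looks guessed: hold for manual review
    return held


if __name__ == "__main__":
    print(orders_to_hold(ATTEMPTS))
```

A merchant only sees declines on its own site, so a clean history here does not prove the code was not guessed elsewhere.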
the security code on the credit card meaning they had the card present. - I can pass payments on mine with an incorrect number.....
Authorize.net shows me that they used the correct #. One of these people has agreed to ship back the goods, but at my cost since he never ordered them. As these products are personal use products, they're useless for us to get back as we'd never resell them. I'm gonna tell the guy to keep them, but I want him to cancel his credit card and file a chargeback, as if someone stole his card I want the card company to have an incentive to help me find the criminal.
|but I want him to cancel his credit card and file a chargeback as if someone stole his card I want the card company to have an incentive to help me find the criminal. |
Nice thought, but I think you'd be going about it in the totally wrong way. As far as the CC company is concerned, you are the criminal if he files a chargeback. Or at least you are party to the crime. I can think of ways to go about this without getting yourself $$#*$!.XX in chargeback fees:
Go here, for starters:
|I want the card company to have an incentive to help me find the criminal. |
You do NOT want him to file a chargeback- YOU will get stuck with the chargeback fee. Credit card companies have NO incentive to track down the criminals- any losses from fraud are shouldered by the merchant.
I wouldn't put much (any) hope with IC3 either. I've filed several complaints through them and have never heard anything back.
[edited by: LifeinAsia at 10:33 pm (utc) on Dec. 15, 2008]
Get an AVS match for billing address and a signature on delivery. If they do a chargeback have it reversed. That's how you stop it. Yes, it's that easy.
Trying to decipher who said what and why is a losing battle.
I don't know about the Paypal charges. Those are wiggy. But the ones from the people who want to do a chargeback and say the email addy isn't theirs sounds like teenagers to me. Teenagers who have access to those cards and are either the children of the people who own them, babysitters, or something along those lines. This happened to me some time ago with just one order. After talking to the person for a while, turned out she was able to figure out who might have really ordered it--a niece.
I just heard about some merchants who are involved with Live Cashback were getting fraud orders which used the correct billing/shipping addresses and everything. Seems that in those cases fraudsters are doing it for the cashback.
I use Authorize.net and find the fraud suite they offer is next to useless. For a start AVS only works in the US.
One thing I do is check the IP address on every order. It needs to match up with the address associated to the order. Fraudsters never have an IP location anywhere near the address. For example, a fraudster might give an address in California but the IP says they are in New York.
When I see this I send a "challenge email" which requires them to send government issued ID prior to processing the order.
Legit clients generally comply, fraudsters send false IDs or simply do not reply.
I've had over 13 years' experience on the net and sales of over $20 Million. I've learnt a ton of stuff about fraudsters and how to beat them.
[edited by: eelixduppy at 5:20 am (utc) on Jan. 5, 2009]
[edit reason] no signatures, please [/edit]
Fraud cannot be stopped but it can be prevented. Make sure you ship inside the United States, only ship to an address that you have gotten an AVS match on and require a signature from FedEx or whoever you ship with.
People may still chargeback but you will win unless you use PayPal.... in that case... don't even bother ... you might as well kiss your money goodbye.
[edited by: lorax at 2:17 pm (utc) on Jan. 6, 2009]
[edit reason] no self-promo please [/edit]
Just point blank refusing international orders in order to avoid possible fraud is not a good way to conduct business, IMO. It's focusing on the risk instead of balancing risk against gain. And if I only shipped to addresses that matched AVS, I'd have to give up most shipments to PO boxes, to streets named after numbers, etc. And lots of customers hate signature confirmation, including me. I don't use it. Delivery confirmation is fine.
I do what I need to do to protect myself, but losing an occasional chargeback gains me a lot of business I would not have if I tried to be completely safe. Retail is all about risk.
I absolutely agree! Refusing to accept international orders is a ridiculous strategy. In fact the US is the worst location for fraud.
If you would like some real solutions and help to fight fraud contact me. I'm not allowed to post the link to my book here so you will need to contact me.
Since I began making money on the net in 1995 I have processed millions of dollars worth of sales and have discovered the very best, cheapest and easiest ways to beat the fraudsters.
Contact me and I'll give you a hand to solve this problem.
You don't need to buy a book to tell you how to defend against fraud, you just have to use every tool at your disposal. It's not that difficult once you know what to look for. If you're going to run an ECommerce site, it is paramount that you have an understanding of how to defend yourself against fraudsters. You don't want to get picked up as an easy site to trick and then really start losing cash hand over fist, so it's important to use the internet to your advantage.
Of course we look to make sure the billing and shipping address are the same and match the AVS which is available in the US and some parts of Europe. This is actually why some companies don't accept international orders- because aside from the AVS system there's really no sound way of confirming that it's the cc billing address on the order.
Just remember, most importantly, the following:
Google is your friend.
Telephone numbers usually give the most away. #*$!-#*$!-#*$!X is the best format in my experience and usually returns some good information (or nothing at all, which is also good information). If you're still undecided you can call the number as most of those calls are either disconnected lines, or they go straight to voice mail (machine type voice). Put a hold on these orders and wait for them to inquire about the order. If they're real customers you know they're going to be up your ass in two days wondering where their shipments are!
Google Maps is also a great tool. Plug a shipping address in there and take a look at the neighborhood. Does it look like the kind of place your product might ship to? If it's an empty warehouse in a neighborhood of empty warehouses then you're probably ok to cancel.
The easiest way to determine whether an order is real or fake, in most cases, is to contact them directly and speak with an actual person. 99% of the time you're going to find that a fraud order doesn't have a courageous person available to be the face to the crime.
You also can't forget the sad fact that some of these fraud orders might be the kind where the purchaser simply files a chargeback. Courier services are happy to leave it at the door most of the time and there's honestly no way they can prove it was delivered to you. Credit Card companies are so scared of consumers that they're happy to simply take the money from hard working websites, AND penalize you for having a chargeback filed in the first place.
Okay, I've run out of steam. Time for bed. Nice thread though. I am certified in Computer Related Crime Investigation and am developing an informational site for Internet Security, so I enjoy when this topic comes up.
A fraud order came in as a complete match: CVV number, address, name, zip all matched. This would have been a send except it just didn't smell right to me. $400.00 order.
1st red flag was being shipped to an overseas docking area. I checked the card; all checked out and usually it would be a ship except for my gut feeling.
2nd red flag: got the card's issuing bank and called them to check the telephone number on file; this was not a match. I then asked the bank to contact the customer and was told "we can't do that". (This is about par for a bank.)
I used the yellow pages and searched, got a number and called him myself; it ended up a fraud order. He was very grateful to say the least, and I told him how his bank acted and wouldn't call him to confirm the charge and suggested he find another bank to do business with.
Books are good, information is great but sometimes ya gotta go with that gut feeling...:)
1. CVV2 Match does NOT indicate card present. In fact, MOST fraudulent orders I've seen AVS Zip, AVS Address and CVV2 were all correct and verified, and the charge was fraudulent, and the cardholder called our customer service and said he had the card. I don't even believe physical cards anymore -- an article and video on wired.com showed that with a $10k printer and some supplies from China, anyone can manufacture almost identical NEW cards with the right mag stripe data, CVV code and even Gov't/State IDs that are passable at most places that check ID when using a credit card.
Why I don't trust even Physical Card Present transactions, nor faxed or PDF copies of IDs or Credit Cards: [wired.com...]
3. Like ispy said, do AVS Zip/Address verification and get a tracking number with signature confirmation on EVERY order. Do this, and you won't lose money, even if it is fraudulent.
4. As bwnbwn mentioned, use external sources to verify the data provided. Google the phone number(s), addresses, call the bank. I've used Experian to look up the credit card and the customer, for which I can usually find a phone number.
5. Ask for the phone number of customer service on the back of the card, as well as the billing phone number on the credit card. MinFraud accepts and will verify this data and will help you make a decision on orders.
I realize I sound like an advertisement for MinFraud, but it is fantastic, a great tool to minimize fraud. $0.004/query makes it SOOO cheap to do so on EVERY attempted transaction.
[edited by: lorax at 1:17 pm (utc) on Jan. 14, 2009]
Sorry about my violations of the TOS/Charter on this thread. I use a service that has REALLY shrunk my fraud exposure, and I love them to death for it. I guess I was too overenthusiastic about them though, and I understand that's not fair to everyone or the TOS of WebmasterWorld. I'm not sure how to post about it without violating the TOS/Charter, so if you want to know, PM me privately (as long as that is ok, the TOS doesn't mention you can't).
"MinFraud" looks intriguing, but I haven't gotten a fraud order for years.
I wonder if this system will help with increasing orders ($$) by giving consumers confidence in the security of a website.
Any thoughts or data on this?
|I wonder if this system will help with increasing orders ($$) by giving consumers confidence in the security of a website. |
If it does increase consumer confidence in security, I would say definitely. However, I am not sure they have a big enough market share/name recognition to elicit any reaction from consumers. If one of the big boys plastered their usage of MinFraud all over their site for a year...then yes. As things stand, I doubt there would be an immediate or noticeable effect.
Plus you don't want to advertise the fact, as fraudsters might be willing to sign up for MinFraud and figure out how to get around it. Though MinFraud just scores transactions, you decide the score level that you'll accept.